Securing a wireless network and monitoring for threats are absolute necessities, but both are worthless unless proper security policies are in place. What good is an 802.1X/EAP solution if the end users share their passwords? Why purchase an intrusion detection system if a policy has not been established on how to deal with rogue access points?

More and more businesses have started to amend their network usage policies to include a wireless policy section. If you have not done so already, a WLAN section should absolutely be added to the corporate security policy.

Two good resources for learning about best practices and computer security policies are the SANS Institute and the National Institute of Standards and Technologies (NIST).

General Security Policy

When establishing a wireless security policy, you must first define a general policy. A general wireless security policy establishes why a wireless security policy is needed for an organization.

Even if a company has no plans for deploying a wireless network, there should be at a minimum a policy for how to deal with rogue wireless devices.

A general wireless security policy will define the following items:

• Statement of authority - Defines who put the wireless policy in place and the executive management that backs the policy.

• Applicable audience - Defines the audience to whom the policy applies, including employees, visitors, contractors, and so on.

• Violation reporting procedures - Defines how the wireless security policy will be enforced, including what actions should be taken and who is in charge of enforcement.

• Risk assessment and threat analysis - Defines the potential wireless security risks and threats and what the financial impact will be on the company if a successful attack occurs.

• Security Auditing - Defines internal auditing procedures as well as the need for independent outside audits.

Functional Security Policy

A functional policy is also needed to define the technical aspects of wireless security. The functional security policy establishes how to secure the wireless network in terms of what solutions and actions are needed.

A functional wireless security policy will define the following items:

• Policy essentials Defines basic security procedures such as password policies, training, and proper usage of the wireless network.

• Baseline practices Defines minimum wireless security practices such as configuration checklists, staging and testing procedures, and so on.

• Design and implementation Defines the actual authentication, encryption, and segmentation solutions that are to be put in place.

• Monitoring and response Defines all wireless intrusion detection procedures and the appropriate response to alarms.

Legislative Compliance

In most countries there are mandated regulations on how to protect and secure data communications within all government agencies. In the United States, the National Institute of Standards and Technologies (NIST) maintains the Federal Information Processing Standards (FIPS).

Of special interest to wireless security is the FIPS 140-2 standard, which defines security requirements for cryptography modules. The use of validated cryptographic modules is required by the United States government for all unclassified communications.

Other countries also recognize the FIPS 140-2 standard or have similar regulations. In the United States, other legislation exists for protecting information and communications in certain industries.

Some of these include:

• HIPAA - The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for electronic health care transactions and national standards for providers, health insurance plans, and employers. The goal is to protect patient information and maintain privacy.

• Sarbanes-Oxley - The Sarbanes-Oxley Act of 2002 defines more stringent controls on corporate accounting and auditing procedures with a goal of corporate responsibility and enhanced financial disclosure.

• GLBA - The Gramm-Leach-Bliley Act requires banks and financial institutions to notify customers of policies and practices of disclosing customer information. The goal is protect personal information such as credit card numbers, social security numbers, names, addresses, etc.

802.11 Wireless Policy Recommendations

Although a very detailed and thorough policy document should be created, we highly recommend these five wireless security policies:

• Remote Access WLAN Policy - End users will be taking their laptops and handheld devices off site and away from company grounds. Most users will likely use wireless networks at home and at wireless “hotspots” to access the Internet.

By design, many of these remote wireless networks have absolutely no security in place, and it is imperative that a remote access WLAN policy be strictly enforced.

This policy should include the required use of an IPSec VPN solution to provide device authentication, user authentication, and strong encryption of all wireless data traffic. Hotspots are prime targets for malicious eavesdropping attacks.

Personal firewalls should also be installed on all remote computers to prevent peer-to-peer attacks. Personal firewalls will not prevent hijacking attacks or peer-to-peer attacks but will prevent attackers from accessing most critical information.

The remote access policy is mandatory because the most likely location for an attack to occur is at a public access hotspot.

• Rogue AP Policy - No end users should ever be permitted to install their own wireless devices on the corporate network. This includes access points, wireless routers, wireless hardware USB clients, and wireless cards.

Any users installing their own wireless equipment could potentially open unsecured portals into the main infrastructure network. This policy should be strictly enforced.

• Ad-Hoc Policy - End users should not be permitted to set up ad-hoc or peer-to-peer networks. Peer-to-peer networks rarely use encryption, are susceptible to peer attacks, and can also serve as an unsecured portal to the infrastructure network if the computer’s Ethernet port is also in use.

• Wireless LAN Proper Use Policy - A thorough policy should outline the proper use and implementation of the main corporate wireless network. This policy should include proper installation procedures, proper security implementations, and allowed application use on the wireless LAN.

• IDS Policy - Policies should be written defining how to properly respond to alerts generated by the wireless intrusion detection system. An example would be how to deal with the discovery of rogue access points and all the necessary actions that should take place.

These five policies are simplistic but are a good starting point in writing a wireless security policy document. We recommend that the built-in Microsoft Windows XP Wi-Fi client utilities known as the Wireless Zero Configuration (WZC) service be disabled at all times due to numerous documented security risks.

We recommend using one single vendor’s software client or using third-party client utilities if multiple vendor cards must be supported.